Analysis Notes

A place to jot down things I tried while analyzing malware and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 2 – 2023 - FORENSIC ANALYSIS

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. This Week in 4n6 itself can be found here.

FORENSIC ANALYSIS

Andrew Rathbun at AboutDFIR

New Windows 11 Pro (22H2) Evidence of Execution Artifact! By Andrew Rathbun. On January 3, 2023. By: Andrew Rathbun and Lucas Gonzalez. Background: In the last week of December 2022, on the Digital Forensics Discord Server, some discussion was brought up by a member in the #computer-forensics channel asking if anyone knew a Windows 11 folder path of interest, linked here. The location in question is C:\Windows\appcompat\pca. This may look like a familiar folder path, as the Amcache res...

DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2). By Andrew Rathbun. On January 3, 2023. FYSA, the 4624 event that we all know and love in DFIR has been updated to Version 3 as of Windows 11 (22H2). Using the beloved EVTX-ETW Resources GitHub repository that Nasreddine Bencherchali and I have curated, looking at the Microsoft-Windows-Security-Auditing Provider CSV will provide us with a history of all events associated with that Provider (Microsoft-Windows-Security-Auditing). If we ...

Abdul Shareef

abdulshareef/DFIR-Resources (generated from skills/introduction-to-github): Some important DFIR Resources. License: CC-BY-4.0. 40 stars, 6 forks...

Adam at Hexacorn

January 7, 2023, in Excel. In my old article I have demonstrated an atypical approach one may take to browse through similarly-looking security artifacts while analyzing a gazillion of similarly looking URLs in Excel. I love Excel and have been using it for more than 2 decades. It is one of these ‘most important’ but often undervalued tools in our infosec toolkit that we all have an opinion about: we either love it or hate it. And – I must confess that my opinion is supported by what I have witnessed i...

Austin Songer at ‘Songer Tech’

Published 2 Jan 2023, 1 min read, By Austin Songer. Install Timestamp App: //github.com/mzdr/timestamp. When Taking Screenshots: Remember when taking screenshots for evidence that you will upload to your GRC tool of choice, you should add a timestamp in the image. This will allow the auditor to know that the evidence was taken during whatever period they will be auditing for. Please see the screenshot below as an example.

Belkasoft

Belkasoft Evidence Center X v.1.11 was tested for its ability to recover data stored in SQLite databases, under the CFTT (Computer Forensics Tool Testing) program by DHS and NIST. The report has recently been published on the Department of Homeland Security website. The general conclusion of the test was positive. The report states that "All test cases were successful" with a small number of exceptions. These exceptions include: Header related information (i.e., page size, journal mode informati...

James McGee at DFIR Review

by James McGee. Published on Jan 05, 2023. Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database. Synopsis. Forensics Question: What pertinent data can be obtained from an Apple Watch through the paired device and how can an Examiner/Investigator obtain and display this data in a readable format? OS Version: iOS Versions 14.6, 15.0.2. watchOS Version: 7.3.2, 8.1, 8.3. Apple Watch Series 3, 42mm Aluminum...

Forensafe

30/12/2022 Friday. Windows Notepad++ desktop application is a free open-source text and source code editor. The application has been developed as an extension of the Windows default Notepad application with much more user-friendly features. Notepad++ is also commonly used by programmers as it supports the syntax for most of the popular programming languages. Digital Forensics Value of Windows Notepad++ Desktop Application: Notepad++ on Windows can retain useful data as it supports various file ext...

30/12/2022 Friday. TikTok is a social media platform and mobile application that enables users to create and share short videos set to music. The app was initially launched in 2016 under the name Musical.ly and was subsequently merged with the Chinese social media app Douyin in 2017. TikTok is renowned for its short-form, lip-sync, and comedy videos, as well as its user-generated content and creative challenges. The app can be downloaded for free from the App Store or Google Play Store and is ava...

Forensics [Insider]

Howard Oakley at ‘The Eclectic Light Company’

Korstiaan Stam at ‘Invictus Incident Response’

A case study — Part 1. Introduction: We are passionate about incident response in the cloud, therefore we decided to share some of our knowledge based on a recent IR case in AWS. This 3-part blog series is written by Cado Security and Invictus Incident Response. Background: An incident was discovered during an account audit of the Amazon environment of a client. A new super user account was found and no one recognised it, which triggered an incident. In this blog we will walk through the incident using ...

Terryn at chocolatecoat4n6

Investigation Framework | Part 5 – Timeline Analysis. January 5, 2023 / ChocolateCoat. Timeline Analysis: We’re past the halfway point! Even if you think you covered everything with your analysis and correlation, sometimes you need to put things together to see the bigger picture. Here we will be covering creating potentially the most important aspect of an in...

Uros Babic

How to Investigate Security Incidents in Azure — Forensic Acquisition of VMs in Azure. When a security incident is detected on the Azure cloud platform, forensics investigators in criminal investigations must examine the log data collected from various sources. If a virtual machine is found to be affected or compromised, it is important to take a snapshot of the OS disk of the VM for further investigation. Create Snapshot of the OS disk of the Affected Ubuntu-Uros Virtual Machine via Azure Portal. DF...